Scott,
I think it is safe to say that there is no "official" way
to prevent session hijacking like this, nor is there any
way to provide absolute assurance that it cannot be done.
There are several methods, however, that can make a hijack
much more difficult to accomplish without adversely
affecti
The problem with that is, if you have a proxy farm you never know which IP might be
used.
For instance, if the user is on AOL, every request to the server will probably have a
different IP.
Mike
*** REPLY SEPARATOR ***
On 02/01/2003 at 3:25 PM Marek Kilimajer wrote:
>This i
This is how it works, but you can tie the session to a specific IP (still
not 100% safe)
scott wrote:
hi
I'm running PHP 4.2.3 as module with Apache 1.3.26 on OpenBSD 3.2 with the
chroot turned off (as it stopped the php_mail() function working, but if
anyone has the fix for that I will re-implement
It's called Session Hijacking.
And that is the normal behaviour.
Since you are supplying the session id it still thinks you are on the same session
until it has expired. (expiry time set in php.ini)
Mike
*** REPLY SEPARATOR ***
On 02/01/2003 at 12:48 PM scott wrote:
>hi
>